OdieO

Reputation: 7004

HTTPS + SSL on Heroku - Node + Express

I've created a self-signed certificate, added it to Heroku, and provisioned an SSL endpoint on Heroku, and when I run heroku certs:info it seems to be there.

I'm creating my server on Express like so:

var server = require('http').createServer(app);

And then redirecting to https like so:

app.use(function(req, res, next) {
    // Heroku's router sets X-Forwarded-Proto to the scheme the client used
    var reqType = req.headers["x-forwarded-proto"];
    // already https: continue; otherwise send the client to the https URL
    reqType == 'https' ? next() : res.redirect("https://" + req.headers.host + req.url);
});

The server runs fine, however I came across this code snippet on S.O. to create an https server:

var fs = require('fs');
var keys_dir = './sslcert/';
var server_options = {
  key  : fs.readFileSync(keys_dir + 'server.key'),
  // a .csr is a certificate signing request, not a CA certificate, so it must not be passed as `ca`;
  // only set `ca` to the issuing chain (PEM) when the cert was signed by an intermediate CA
  cert : fs.readFileSync(keys_dir + 'server.crt')
}

var server = require('https').createServer(server_options, app);

I don't point to the certs/keys like this example, and my site is running on https (although the lock is red since it's self-signed).


EDIT

I just saw this answer on another question:

"SSL termination occurs at Heroku's load balancers; they send your app plain (non-SSL) traffic, so your app should create a non-HTTPS server."

Upvotes: 24

Views: 21466

Answers (1)

Nitzan Shaked

Reputation: 13598

SSL termination is done on Heroku servers/load-balancers before the traffic gets to your application. The "thing" you added your cert to was not your dyno, but rather a Heroku-controlled server.

So when SSL (https) traffic comes in, it is "stopped" (terminated) at the server. That server opens a new http connection to your dyno, and whatever it gets it sends back over https to the client.

So on your dyno you don't need to "mess" with certs etc., and you will be seeing only incoming http traffic: whether directly from http clients, or from Heroku servers that talk https to clients and http to you.

Redirecting to https is a different matter: if a client "comes" to your app with http, and you prefer they use https, by all means redirect. They will issue a new request, this time https, and go through Heroku's SSL termination and then to your app. But now you know that the path between the client and Heroku is secure (due to the client using https), and the path between the Heroku SSL termination and your dyno is presumably secure (if you trust Heroku...)

HTH

Upvotes: 55
